Version: 22.04

Splunk Metrics

Before starting

  • You can send events from a central server, a remote server or a poller.
  • By default, this stream connector sends metrics from host_status and service_status events. The event format is shown there.
  • The aforementioned events are fired each time a host or a service is checked. Various parameters let you filter out events.

Installation

Dependencies

Install the EPEL repository.

yum -y install epel-release

Install dependencies.

yum install luarocks make gcc lua-curl lua-devel

Lua modules

Install the Centreon Lua modules.

luarocks install centreon-stream-connectors-lib

Download Splunk metrics stream connector

wget -O /usr/share/centreon-broker/lua/splunk-metrics-apiv2.lua https://raw.githubusercontent.com/centreon/centreon-stream-connector-scripts/master/centreon-certified/splunk/splunk-metrics-apiv2.lua
chmod 644 /usr/share/centreon-broker/lua/splunk-metrics-apiv2.lua
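The command above fetches whatever is on the master branch at download time, and the broker then runs that file. The following is an added example, not Centreon's code: it installs the script only when it matches a SHA-256 you recorded after reviewing a given revision. The function names and the `<reviewed_sha256>` placeholder are assumptions.

```shell
#!/bin/sh
# Added example (not Centreon's code). Function names are hypothetical.
# The destination path is the one used on this page; the expected hash is one
# you record yourself after reviewing a specific revision of the script.

# sha256_of FILE -> prints the lowercase hex SHA-256 of FILE
sha256_of() {
    sha256sum "$1" | awk '{print tolower($1)}'
}

# install_verified SRC EXPECTED_SHA256 DEST
# Copies SRC to DEST with mode 644 only when its hash matches; otherwise
# leaves DEST untouched and returns non-zero.
install_verified() {
    iv_src=$1
    iv_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    iv_dest=$3
    [ -f "$iv_src" ] || { echo "missing file: $iv_src" >&2; return 2; }
    iv_actual=$(sha256_of "$iv_src")
    if [ "$iv_actual" != "$iv_expected" ]; then
        echo "checksum mismatch for $iv_src: got $iv_actual" >&2
        return 1
    fi
    install -m 0644 "$iv_src" "$iv_dest"
}

# Typical use (run by hand; <reviewed_sha256> is a placeholder):
#   wget -O /tmp/splunk-metrics-apiv2.lua <same URL as above>
#   install_verified /tmp/splunk-metrics-apiv2.lua <reviewed_sha256> \
#       /usr/share/centreon-broker/lua/splunk-metrics-apiv2.lua
```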

Configuration

To configure your stream connector, go to the Configuration --> Poller --> Broker configuration menu. Select the central-broker-master configuration (or the appropriate broker configuration if it is a poller or a remote server that will send events) and click the Output tab when the broker form is displayed.

Add a new generic - stream connector output and set the following fields as follows:

| Field | Value |
| --- | --- |
| Name | Splunk metrics |
| Path | /usr/share/centreon-broker/lua/splunk-metrics-apiv2.lua |
| Filter category | Neb |

Add Splunk mandatory parameters

Each stream connector has a set of mandatory parameters. To add them, click the +Add a new entry button located below the filter category input.

| Type | Name | Value explanation | Value example |
| --- | --- | --- | --- |
| string | http_server_url | The URL of the Splunk service collector | https://mysplunk.centreon.com:8088/services/collector |
| string | splunk_token | Token to use the event collector API | |

Add Splunk optional parameters

Some stream connectors have a set of optional parameters specific to the software they are associated with. To add them, click the +Add a new entry button located below the filter category input.

| Type | Name | Value explanation | Default value |
| --- | --- | --- | --- |
| string | splunk_sourcetype | Identifies the data structure of the event | _json |
| string | splunk_host | Name or address of the server that generated the event | Central |
| string | splunk_index | Index where the events are stored | |
| string | splunk_source | Source of the HTTP event collector, such as http:<name_of_index> | |
| string | logfile | The file in which logs are written | /var/log/centreon-broker/splunk-metrics.log |
| number | log_level | Logging level from 1 (errors) to 3 (debug) | 1 |

Standard parameters

All stream connectors can use a set of optional parameters that are made available through the Centreon stream connectors Lua modules.

All those parameters are documented here

Some of them are overridden by this stream connector.

| Type | Name | Default value for the stream connector |
| --- | --- | --- |
| string | accepted_categories | neb |
| string | accepted_elements | host_status,service_status |
| number | max_buffer_size | 30 |
| number | hard_only | 0 |
| number | enable_service_status_dedup | 0 |
| number | enable_host_status_dedup | 0 |
| string | metric_name_regex | [^a-zA-Z0-9_] |
| string | metric_replacement_character | _ |

Event bulking

This stream connector is compatible with event bulking, meaning that it is able to send more than one event in each call to the Splunk REST API.

The default value for this stream connector is 30. A small value is more likely to slow down the Centreon broker thus generating retention.

| Type | Name | Value |
| --- | --- | --- |
| number | max_buffer_size | more than one |

Event format

This stream connector sends events in the following format.

service_status event

{
  "sourcetype": "_json",
  "source": "http:my_index",
  "index": "my_index",
  "host": "Central",
  "time": 1630590530,
  "fields": {
    "event_type": "service",
    "state": 2,
    "state_type": 1,
    "hostname": "my_host",
    "service_description": "my_service",
    "ctime": 1630590520,
    "metric_name: database.used.percent": 80,
    "instance": "my_db",
    "subinstance": ["sub_1", "sub_2"]
  }
}

host_status event

{
  "sourcetype": "_json",
  "source": "http:my_index",
  "index": "my_index",
  "host": "Central",
  "time": 1630590530,
  "fields": {
    "event_type": "host",
    "state": 1,
    "state_type": 1,
    "hostname": "my_host",
    "ctime": 1630590520,
    "metric_name: database.used.percent": 80,
    "instance": "my_db",
    "subinstance": ["sub_1", "sub_2"]
  }
}

Custom event format

You can't change the format of the event for metrics oriented stream connectors.

Curl commands

Here is the list of all the curl commands that are used by the stream connector.

Send events

curl -X POST -H "content-type: application/json" -H "authorization: Splunk <splunk_token>" '<http_server_url>' -d '{"sourcetype": "<splunk_sourcetype>","source": "<splunk_source>","index": "<splunk_index>","host": "<splunk_host>","time": <epoch_timestamp>,"event": {"event_type": "host","state": 1,"state_type": 1,"hostname":"my_host","ctime": 1630590520,"metric_name: database.used.percent": 80,"instance": "my_db","subinstance": ["sub_1", "sub_2"]}}'

You must replace all the <xxxx> inside the above command with their appropriate value. <splunk_sourcetype> may become _json.
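When replaying the command above by hand, passing the token with -H puts it in the process list and shell history. The following is an added example, not the connector's code: it writes the URL and headers to a curl config file readable only by its owner and refuses a non-https collector URL. The function names, file paths and environment variable names are assumptions.

```shell
#!/bin/sh
# Added example (not the connector's code). Function names are hypothetical.

# unsafe_for_config VALUE -> 0 if VALUE is empty or contains a double quote,
# backslash or newline, any of which would break a quoted curl config value.
unsafe_for_config() {
    case $1 in
        ''|*\"*|*\\*|*'
'*) return 0 ;;
    esac
    return 1
}

# write_hec_curl_config URL TOKEN OUTFILE
# Refuses non-https URLs, then writes URL and headers to OUTFILE (mode 600).
write_hec_curl_config() {
    hc_url=$1; hc_token=$2; hc_out=$3
    case $hc_url in
        https://?*) ;;
        *) echo "http_server_url must use https" >&2; return 1 ;;
    esac
    if unsafe_for_config "$hc_url" || unsafe_for_config "$hc_token"; then
        echo "URL or token contains characters unsafe for a curl config" >&2
        return 1
    fi
    (
        umask 077          # new file is created without group/other access
        rm -f "$hc_out"    # drop any older copy that had wider permissions
        {
            printf 'url = "%s"\n' "$hc_url"
            printf 'header = "content-type: application/json"\n'
            printf 'header = "authorization: Splunk %s"\n' "$hc_token"
        } > "$hc_out"
    )
}

# Typical use (run by hand; payload.json holds the JSON body shown above):
#   write_hec_curl_config "$HEC_URL" "$HEC_TOKEN" /root/.splunk-hec.curlrc
#   curl -X POST -K /root/.splunk-hec.curlrc -d @payload.json
```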